Data traffic does not flow through the IPSec tunnel

Publication Date: 2013-08-28

Issue Description

A customer wanted to establish an IPSec tunnel between a Huawei USG2200 firewall and a Juniper firewall. Although the IPSec tunnel was established successfully, the customer reported that they could neither ping from 192.168.1.0/24 to 10.224.11.0/24 nor ping from 10.224.11.0/24 to 192.168.1.0/24.
The customer's topology is as follows.

Juniper firewall:
policies {
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy untrust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    default-policy {
        permit-all;
    }
}
4. The Juniper policies above permit all traffic in both directions (and the default policy is permit-all), so the interzone policy on the Juniper side cannot be what blocks the traffic. On the USG2200, the IPSec statistics show output security packets but no input security packets: the USG2200 encrypts and sends the customer's pings into the tunnel, but nothing comes back from the Juniper side.
<USG2200>display ipsec statistics
13:05:30 2013/08/07
the security packet statistics:
input/output security packets: 0/10
input/output security bytes: 0/840
input/output dropped security packets: 0/0
……
Since encrypted packets leave the USG2200 but none return, we suspected that interface g0/0/6 on the Juniper firewall, whose IP address the customer was pinging, was down. When we checked, g0/0/6 was indeed down: the customer had unplugged the cable from g0/0/6, so the interface went down and its IP address could no longer be pinged from the USG2200. That is why the customer could ping in neither direction between 192.168.1.0/24 and 10.224.11.0/24.
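As an added illustration (not part of the original case and not a Huawei tool), the following Python script parses the "display ipsec statistics" counters quoted above and applies the same reasoning used here: output security packets with zero input security packets means the local side encrypts and sends, but nothing comes back, so the local IPSec configuration is working and the fault lies at the peer or at the destination host or interface. The sample strings are constructed from the counters shown on this page; the counter line format "input/output <name>: <in>/<out>" is assumed to hold for all counters.

```python
import re

# Constructed sample, copied from the counters quoted in this case
# (not a live capture from the customer's device).
SAMPLE_NO_REPLY = """\
13:05:30 2013/08/07
the security packet statistics:
input/output security packets: 0/10
input/output security bytes: 0/840
input/output dropped security packets: 0/0
"""

# Constructed sample of what a working tunnel looks like after ten pings:
# every encrypted echo request has a matching encrypted reply.
SAMPLE_HEALTHY = """\
the security packet statistics:
input/output security packets: 10/10
input/output security bytes: 840/840
input/output dropped security packets: 0/0
"""

# Each counter line reads "input/output <name>: <in>/<out>" (assumed format).
# finditer is used so that lines fused together when the CLI output was copied
# (e.g. "0/10input/output security bytes: 0/840") are still split correctly.
COUNTER_RE = re.compile(r"input/output (?P<name>[a-z ]+?):\s*(?P<inp>\d+)/(?P<out>\d+)")

# Diagnosis codes and what to check next, following the reasoning of this case.
HINTS = {
    "drops": "IPsec itself is dropping packets: check SA state, anti-replay "
             "and proposal settings on both peers.",
    "no-interesting-traffic": "Nothing enters the tunnel: check the IPsec ACL, "
                              "the interzone policy and the route to the remote subnet.",
    "no-reply": "Encrypted packets leave but none return: the local IPsec "
                "configuration works; check the peer and the destination host "
                "or interface (is it up, does it answer ping, is it covered by "
                "the peer's ACL / proxy ID?).",
    "ok": "Traffic flows in both directions through the tunnel.",
}


def parse_ipsec_statistics(text):
    """Return {counter_name: (input, output)} from display ipsec statistics output."""
    stats = {}
    for m in COUNTER_RE.finditer(text):
        stats[m.group("name").strip()] = (int(m.group("inp")), int(m.group("out")))
    return stats


def diagnose(stats):
    """Classify the tunnel from its packet counters and return a diagnosis code."""
    pkts_in, pkts_out = stats.get("security packets", (0, 0))
    drop_in, drop_out = stats.get("dropped security packets", (0, 0))
    if drop_in or drop_out:
        return "drops"
    if pkts_out == 0:
        # Local side never encrypted anything: ACL, policy or route problem.
        return "no-interesting-traffic"
    if pkts_in == 0:
        # Local side sent, remote side answered nothing: the case on this page.
        return "no-reply"
    return "ok"


def diagnose_output(text):
    """Parse raw CLI output and return (diagnosis code, next check to perform)."""
    code = diagnose(parse_ipsec_statistics(text))
    return code, HINTS[code]


if __name__ == "__main__":
    for label, sample in (("case output", SAMPLE_NO_REPLY), ("healthy", SAMPLE_HEALTHY)):
        code, hint = diagnose_output(sample)
        print(f"{label}: {code} - {hint}")
```

The "no-reply" classification is the one that applies to this case: it tells the engineer to stop looking at the USG2200's IPSec configuration and instead check the peer and the address being pinged, which is exactly where the down interface was found.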
Because the customer only wanted to verify that data packets pass through the IPSec tunnel, we configured an address in 10.224.11.0/24 on the loopback interface of the Juniper firewall and pinged that address instead. The ping then succeeded, so the problem was solved. For this test to be meaningful, the loopback address must fall inside the range covered by the IPSec ACL on both ends, and the Juniper security zone containing the loopback must allow inbound ping; otherwise the test traffic is either not sent through the tunnel or not answered.

Root Cause

Possible causes when data does not flow through an established IPSec tunnel:
1. The IPSec tunnel is configured incorrectly.
2. The IPSec ACLs (interesting traffic) on the two ends do not match.
3. The interzone security policy is configured incorrectly.
4. The interface that should answer the traffic is down.
In this case the cause was item 4: interface g0/0/6 on the Juniper firewall was down.

Suggestions

Before pinging a firewall interface address to test a tunnel, make sure that the interface is UP. A down interface does not answer pings even though the IPSec tunnel itself is established, and the "output but no input" pattern in display ipsec statistics is the sign to look for.